
Feature: Added LDAP drivers for OpenNebula. Contributed by C12G

This commit is contained in:
Javi Fontan 2011-11-29 17:02:43 +01:00 committed by Ruben S. Montero
parent 4c8f0467d5
commit d756ffe062
6 changed files with 272 additions and 2 deletions


@ -234,6 +234,7 @@ VAR_DIRS="$VAR_LOCATION/remotes \
$VAR_LOCATION/remotes/auth/plain \
$VAR_LOCATION/remotes/auth/ssh \
$VAR_LOCATION/remotes/auth/x509 \
$VAR_LOCATION/remotes/auth/ldap \
$VAR_LOCATION/remotes/auth/server_x509 \
$VAR_LOCATION/remotes/auth/server_cipher \
$VAR_LOCATION/remotes/auth/quota \
@ -335,6 +336,7 @@ INSTALL_FILES=(
IM_PROBES_GANGLIA_FILES:$VAR_LOCATION/remotes/im/ganglia.d
AUTH_SSH_FILES:$VAR_LOCATION/remotes/auth/ssh
AUTH_X509_FILES:$VAR_LOCATION/remotes/auth/x509
AUTH_LDAP_FILES:$VAR_LOCATION/remotes/auth/ldap
AUTH_SERVER_X509_FILES:$VAR_LOCATION/remotes/auth/server_x509
AUTH_SERVER_CIPHER_FILES:$VAR_LOCATION/remotes/auth/server_cipher
AUTH_DUMMY_FILES:$VAR_LOCATION/remotes/auth/dummy
@ -519,6 +521,7 @@ RUBY_LIB_FILES="src/mad/ruby/ActionManager.rb \
src/authm_mad/remotes/quota/quota.rb \
src/authm_mad/remotes/server_x509/server_x509_auth.rb \
src/authm_mad/remotes/server_cipher/server_cipher_auth.rb \
src/authm_mad/remotes/ldap/ldap_auth.rb \
src/authm_mad/remotes/x509/x509_auth.rb"
#-----------------------------------------------------------------------------
@ -632,6 +635,8 @@ AUTH_SERVER_X509_FILES="src/authm_mad/remotes/server_x509/authenticate"
AUTH_X509_FILES="src/authm_mad/remotes/x509/authenticate"
AUTH_LDAP_FILES="src/authm_mad/remotes/ldap/authenticate"
AUTH_SSH_FILES="src/authm_mad/remotes/ssh/authenticate"
AUTH_DUMMY_FILES="src/authm_mad/remotes/dummy/authenticate"
@ -766,6 +771,7 @@ HM_ETC_FILES="src/hm_mad/hmrc"
AUTH_ETC_FILES="src/authm_mad/remotes/server_x509/server_x509_auth.conf \
src/authm_mad/remotes/quota/quota.conf \
src/authm_mad/remotes/ldap/ldap_auth.conf \
src/authm_mad/remotes/x509/x509_auth.conf"
#-------------------------------------------------------------------------------


@ -591,8 +591,8 @@ HM_MAD = [
AUTH_MAD = [
executable = "one_auth_mad",
arguments = "--authn ssh,x509,server_cipher,server_x509"
# arguments = "--authz quota --authn ssh,x509,server_cipher,server_x509"
arguments = "--authn ssh,x509,ldap,server_cipher,server_x509"
# arguments = "--authz quota --authn ssh,x509,ldap,server_cipher,server_x509"
]
SESSION_EXPIRATION_TIME = 900


@ -0,0 +1,63 @@
#!/usr/bin/ruby
# ---------------------------------------------------------------------------- #
# Copyright 2010-2011, C12G Labs S.L #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
# ---------------------------------------------------------------------------- #
ONE_LOCATION=ENV["ONE_LOCATION"]
if !ONE_LOCATION
RUBY_LIB_LOCATION="/usr/lib/one/ruby"
ETC_LOCATION="/etc/one/"
else
RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
ETC_LOCATION=ONE_LOCATION+"/etc/"
end
$: << RUBY_LIB_LOCATION
require 'yaml'
require 'ldap_auth'
user=ARGV[0]
pass=ARGV[1]
secret=ARGV[2]
options=YAML.load(File.read(ETC_LOCATION+'/auth/ldap_auth.conf'))
ldap=LdapAuth.new(options)
user_name=ldap.find_user(user)
if !user_name
STDERR.puts "User #{user} not found"
exit(-1)
end
if options[:group]
if !ldap.is_in_group?(user_name, options[:group])
STDERR.puts "User #{user} is not in group #{options[:group]}"
exit(-1)
end
end
if ldap.authenticate(user_name, secret)
puts "#{user} #{user_name}"
exit(0)
else
STDERR.puts "Bad user/password"
exit(-1)
end
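Review bot: `secret` (ARGV[2]) is passed to `ldap.authenticate` without checking that it is present, and an LDAP simple bind with an empty or nil password is an unauthenticated bind that servers are permitted to accept, so a missing token could be reported as a successful login; reject it before any bind with `if secret.nil? || secret.empty? then STDERR.puts "Bad user/password"; exit(-1); end` (the same guard belongs inside `LdapAuth#authenticate` in ldap_auth.rb, which this note also covers). `pass` (ARGV[1]) is read and never used; drop it or name it `_pass`. `exit(-1)` becomes status 255 in a POSIX shell; `exit(1)` is the conventional failure code unless the driver protocol needs 255, which is not visible here. `ETC_LOCATION` already ends in `/`, so `ETC_LOCATION+'/auth/ldap_auth.conf'` yields a double slash; harmless, but `ETC_LOCATION+'auth/ldap_auth.conf'` matches how the constants are defined.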


@ -0,0 +1,35 @@
# ---------------------------------------------------------------------------- #
# Copyright 2010-2011, C12G Labs S.L #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
# ---------------------------------------------------------------------------- #
# Ldap user able to query, if not set connects as anonymous
#:user: 'admin'
#:password: 'password'
# Ldap authentication method
:auth_method: :simple
# Ldap server
:host: localhost
:port: 389
# base hierarchy where to search for users and groups
:base: 'dc=domain'
# group the users need to belong to. If not set any user will do
:group: 'cn=cloud,ou=groups,dc=domain'
# field that holds the user name, if not set 'cn' will be used
:user_field: 'cn'
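Review bot: `:group:` is set to the sample DN `cn=cloud,ou=groups,dc=domain` while its comment says "If not set any user will do", so an unedited config makes every login fail the group check against a group that does not exist; ship it commented out like `:user:`/`:password:` (`#:group: 'cn=cloud,ou=groups,dc=domain'`) so the default matches the comment. The `:password:` value is a bind credential in cleartext; the file is listed under AUTH_ETC_FILES in install.sh but the mode it is installed with is not visible here, so the header comment should state that it must be readable only by the account running the auth driver. Nothing in ldap_auth.rb enables TLS (only `:host`, `:port` and `:auth` are passed to `Net::LDAP.new`), so the bind password and every user secret travel unencrypted to `:host:`; a comment saying so, e.g. `# NOTE: the connection to :host: is not encrypted`, sets expectations until an option exists.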


@ -0,0 +1,96 @@
# ---------------------------------------------------------------------------- #
# Copyright 2010-2011, C12G Labs S.L #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
# ---------------------------------------------------------------------------- #
require 'rubygems'
require 'net/ldap'
class LdapAuth
def initialize(options)
@options={
:host => 'localhost',
:port => 389,
:user => nil,
:password => nil,
:base => nil,
:auth_method => :simple,
:user_field => 'cn'
}.merge(options)
ops={}
if @options[:user]
ops[:auth] = {
:method => @options[:auth_method],
:username => @options[:user],
:password => @options[:password]
}
end
ops[:host]=@options[:host] if @options[:host]
ops[:port]=@options[:port].to_i if @options[:port]
@ldap=Net::LDAP.new(ops)
end
def find_user(name)
begin
result=@ldap.search(
:base => @options[:base],
:filter => "#{@options[:user_field]}=#{name}")
if result && result.first
result.first.dn
else
result=@ldap.search(:base => name)
if result && result.first
name
else
nil
end
end
rescue
nil
end
end
def is_in_group?(user, group)
result=@ldap.search(:base => group, :filter => "(member=#{user})")
if result && result.first
true
else
false
end
end
def authenticate(user, password)
ldap=@ldap.clone
auth={
:method => @options[:auth_method],
:username => user,
:password => password
}
if ldap.bind(auth)
true
else
false
end
end
end
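Review bot: `find_user` and `is_in_group?` interpolate the caller-supplied `name` and `user` straight into LDAP filter strings (`"#{@options[:user_field]}=#{name}"` and `"(member=#{user})"`), so `*`, `(`, `)` or `\` in a login name alter the filter instead of being matched literally, and a wildcard can make `find_user` resolve to whatever entry the server returns first; escape the values, e.g. `:filter => "#{@options[:user_field]}=#{Net::LDAP::Filter.escape(name)}"` and `:filter => "(member=#{Net::LDAP::Filter.escape(user)})"`. The fallback `@ldap.search(:base => name)` accepts any existing DN as the user; the spec relies on it so it may be intended, but a comment such as `# a bare DN that exists in the directory is accepted as the user` should say so. The bare `rescue` in `find_user` turns connection failures and malformed filters into `nil`, so the driver reports "User not found" during an outage; rescue the net-ldap error class specifically and write the message to STDERR so operators can tell the two apart. `authenticate` should also refuse an empty or nil `password` before calling `bind`, since a simple bind with no password is an unauthenticated bind.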


@ -0,0 +1,70 @@
# ---------------------------------------------------------------------------- #
# Copyright 2010-2011, C12G Labs S.L #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
# ---------------------------------------------------------------------------- #
$: << ".."
require 'ldap_auth'
options={
:host => 'ubuntu-test',
:base => 'dc=localdomain'
}
describe LdapAuth do
before(:all) do
@ldap=LdapAuth.new(options)
end
it 'should find user dn' do
name=@ldap.find_user('user01')
name.should=='cn=user01,dc=localdomain'
name=@ldap.find_user('user02')
name.should=='cn=user02,dc=localdomain'
name=@ldap.find_user('user03')
name.should==nil
name=@ldap.find_user('cn=user01,dc=localdomain')
name.should=='cn=user01,dc=localdomain'
end
it 'should tell if a user is in a group' do
group='cn=cloud,ou=groups,dc=localdomain'
result=@ldap.is_in_group?('cn=user01,dc=localdomain', group)
result.should==true
result=@ldap.is_in_group?('cn=user02,dc=localdomain', group)
result.should==false
end
it 'should authenticate user' do
result=@ldap.authenticate('cn=user01,dc=localdomain', 'password01')
result.should==true
result=@ldap.authenticate('cn=user02,dc=localdomain', 'password02')
result.should==true
result=@ldap.authenticate('cn=user01,dc=localdomain', 'password02')
result.should==false
result=@ldap.authenticate('user01,dc=localdomain', 'password01')
result.should==false
end
end
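Review bot: `$: << ".."` adds the parent of the current working directory, not of the spec file, so `require 'ldap_auth'` only resolves when the spec is run from its own directory; `$: << File.join(File.dirname(__FILE__), '..')` makes it location-independent. The examples also require a live directory at `ubuntu-test` populated with `user01`/`user02`, their passwords and the `cn=cloud,ou=groups,dc=localdomain` group, which nothing on the page documents or provisions; a header comment listing the required fixtures, or skipping the group when the host is unreachable, would keep the suite from failing for reasons unrelated to the code.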